在 Android (flutter) 应用程序中安全地保存 API 密钥 [英] Securely Saving API Keys In Android (flutter) Apps

问题描述

我知道这个问题已经被问过很多次了.我已经阅读了所有这些.我已在 Google 中搜索过此问题，但仍有一些问题无法找到答案.

I know that this question has been asked many times. I've read all of them. I've searched this in Google but I still have questions that I wasn't able to find answers for.

目前我正在我的应用程序中存储 API 密钥.是的，这是一种不好的做法.现在据我所知，我可以使用 ProGaurd 或 DexGaurd 进行混淆.我还可以使用 Keystore 来安全地存储我的 api 密钥.现在对于这部分'我的问题:- 混淆会更改变量和类的名称.当有人反编译 apk 文件时，我的 API 密钥仍将在该应用程序中.当然可能需要更多时间，但又需要多少时间?例如20分钟?我觉得最重要的是，如果他们投入一些时间和精力，他们可以使用此密钥.我弄错了吗?

Currently I'm storing API Keys in my app. Which yes is a bad practice. Now to the best of my knowledge I can use ProGaurd or DexGaurd to obfuscate. I can also use Keystore to securely store my api keys. Now for this part here' my question: - Obfuscation changes the name of variables and classes. My API Key will still be in that app when someone decompiles the apk file. Sure it might take more time, but how much more is it? For example 20 minutes? I feel like the bottom line is that they can use this key if they put some time and effort. Am I getting this wrong?

现在我在不同网站上看到的另一个答案是我可以将我的密钥存储在服务器上，然后通过我的应用程序进行通信.

Now the other answer that I've seen on different websites was that I can store my keys on a server and then communicate that through my app.

• 这怎么可能?服务器将把 api 密钥发送到应用程序.如果黑客找到了这个 url，他们可以打开它并获取密钥.如果我使用密钥访问 URL，那么我将进入一个永无止境的密钥循环.我该怎么做?

• How is that even possible? A server is going to send the api key to the app. If the hacker finds this url they can just open it and get the key. If I use a key to access the URL then i'm entering a never ending loop of keys. How would I do this?

有人说我可以加密我的密钥，然后在收到应用程序后解密它们.但是人们不能反编译我的解密函数并找出我的密钥吗?

Someone said that I can encrypt my keys and then decrypt them in the app once it's received. But can't people decompile my decryption function and figure out my key?

我还被告知 Firebase 远程配置将成为存储我的密钥的安全方法.但是还有一个问题

I was also told that Firebase Remote Config is going to be a safe method for storing my keys. But then there's another problem

• 这种方法有多安全?

• 如果我使用 google services json 文件来标识我的项目，那么人们不能从删除配置部分获取我的密钥吗?因为我在我的控制台上看不到删除配置的任何设置，以便说明谁可以访问这个，谁不能.如何将我的 API 密钥安全地存储在 Firebase 上?

• How much safer is this method?

• If I'm using a google services json file to identify my project, can't just people get my keys from the remove config part? Because I can't see any settings for remove config on my console in order to say who can access this and who can't. How can I securely store my api keys on Firebase?

黑客不能只是反编译 apk 并更改代码并从我的 firebase 帐户中提取数据吗?因为谷歌服务 json 就在那里.如果他们打印提取的数据，他们可以访问所有内容吗?

And can't hackers just decompile the apk and just change the code and extract data from my firebase account? Because the google services json is there. If they print the data extracted can they access everything?

那么我到底应该怎么做才能安全地将 api 密钥用于我的第三方应用程序?其中一些 api 密钥非常有价值，其中一些只是从其他服务器获取信息.我只想知道存储这些密钥的最安全方法.

So what exactly should I do to safely use api keys for my third party applications? And some of these api keys are very valuable and some of them just get information from other servers. I just want to know the safest method to store these keys.

推荐答案

如果您认为 API Key 不应该被泄露，那么您不应该将它放在应用程序中.您可以使用以下可能的解决方案

If you think API Key should not be compromised then you should not put it inside the app. You can use the following possible solutions

1. 您可以将密钥保存在服务器上，并通过您的服务器路由需要该密钥的所有请求.因此，只要您的服务器是安全的，那么您的密钥也是安全的.当然，此解决方案存在性能成本.您可以使用 SSL 固定来验证响应.检查这个
   
2. 您可以通过编程方式获取应用的签名密钥，并在每个 API 调用中发送 is to sever 以验证请求.但是黑客可以以某种方式找出策略.
3. Google 不建议将 API 密钥存储在远程配置中，但您可以在那里保留一个令牌并使用它来验证请求并发送 API 密钥.检查这个
4. 对于 Android 应用，您可以使用 Google 提供的 SafetyNet API 来验证应用的真实性，服务器可以在验证 SafetyNet 响应后为用户生成令牌.令牌可进一步用于验证请求.有一个 plugin 可用于 Flutter for SafetyNet API.

1. You can keep your keys on a server and route all requests needing that key through your server. So as long as your server is secure then so is your key. Of course, there is a performance cost with this solution. You can use SSL pinning to authenticate the response. Check this
   
2. You can get the signature key of your app programmatically and send is to sever in every API call to verify the request. But a hacker can somehow find out the strategy.
3. Google does not recommend storing API keys in remote config but you can keep one token there and use it to verify the request and send the API key. Check this
4. In the case of the Android app, you can use SafetyNet API by Google to verify the authenticity of the app and the server can generate a token for the user after verification of the SafetyNet response. The token can be further used to verify the request. There is one plugin available for Flutter for SafetyNet API.

您可以结合使用上述方法来确保 API 密钥的安全性.为了回答您的问题，Firebase 远程配置使用 SSL 连接来传输数据，它非常安全，但您不应该完全依赖它来保证您的数据安全.您也不能使用可公开访问的 API 共享 API 密钥.此外，将加密密钥和数据同时存储在应用程序中也不会使其安全.

You can use a combination of the above approaches to ensure the security of the API key. To answer your questions, Firebase remote config uses SSL connection to transfer the data, it's very much secure but you should not rely on it completely for your data security. You also can't share API keys using the APIs which are publicly accessible. Moreover, storing both the encrypted key and the data inside the app won't make it secure.

这篇关于在 Android (flutter) 应用程序中安全地保存 API 密钥的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！